{"id":1740,"date":"2023-05-01T22:10:00","date_gmt":"2023-05-02T03:10:00","guid":{"rendered":"https:\/\/lab.rapternet.us\/?p=1740"},"modified":"2023-02-12T14:16:10","modified_gmt":"2023-02-12T20:16:10","slug":"network-layout","status":"publish","type":"post","link":"https:\/\/lab.rapternet.us\/?p=1740","title":{"rendered":"Network Layout"},"content":{"rendered":"\n<p>Here is a rough guide to how I have my network laid out. I haven&#8217;t really documented it before, so hopefully this covers the major points. I use a number of VLANs in my network to keep the IoT devices from being security threats, and to prevent security devices (like security cameras) from being able to access the internet.<\/p>\n\n\n\n<p>I will write up a longer guide later on when I have some time; for now, here is the short of it. The hardware is mostly Unifi gear with a Unifi controller running on my Proxmox host. This is the same host I run Home Assistant on (all virtual machines). The Unifi controller lets me configure my whole network in one pane of glass. It&#8217;s a bit of a pain at times, but for me the convenience has outweighed the higher price and limitations so far.<\/p>\n\n\n\n<!--more-->\n\n\n\n<h2 class=\"wp-block-heading\">Hardware<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Unifi USG Pro 4 (firewall)<\/li>\n\n\n\n<li>Unifi 24 port 300W PoE switch (discontinued beta equipment, but amazing)<\/li>\n\n\n\n<li>Unifi 16 port 50W PoE switch<\/li>\n\n\n\n<li>Various Unifi 8 port PoE-powered switches<\/li>\n\n\n\n<li>Unifi AP U6 Lite (Wi-Fi 6 AP) x 2<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">VLANs<\/h2>\n\n\n\n<p>I set up my VLANs to provide the minimum access needed without removing convenience. This is why my main LAN network has access to all VLANs, while not all VLANs have access back to it. 
My VLANs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IOT secure\n<ul class=\"wp-block-list\">\n<li>Rules\n<ul class=\"wp-block-list\">\n<li>\u274c No internet access<\/li>\n\n\n\n<li>\u2714 LAN access<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Devices\n<ul class=\"wp-block-list\">\n<li>WLED<\/li>\n\n\n\n<li>ESPHome<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>IOT\n<ul class=\"wp-block-list\">\n<li>Rules\n<ul class=\"wp-block-list\">\n<li>\u2714 Internet access<\/li>\n\n\n\n<li>\u274c No LAN access<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Devices\n<ul class=\"wp-block-list\">\n<li>Ring cameras<\/li>\n\n\n\n<li>Ring chimes<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>LAN\n<ul class=\"wp-block-list\">\n<li>Rules\n<ul class=\"wp-block-list\">\n<li>\u2714 Access to internet<\/li>\n\n\n\n<li>\u2714 Access to all VLANs<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Devices\n<ul class=\"wp-block-list\">\n<li>Laptops<\/li>\n\n\n\n<li>Servers<\/li>\n\n\n\n<li>Desktops<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Cameras\n<ul class=\"wp-block-list\">\n<li>Rules\n<ul class=\"wp-block-list\">\n<li>\u274c No LAN access<\/li>\n\n\n\n<li>\u274c No internet access<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Devices\n<ul class=\"wp-block-list\">\n<li>Amcrest cameras<\/li>\n\n\n\n<li>Unifi cameras<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>I have some others, but they aren&#8217;t as necessary for the smart home stuff; they are more for other self-hosting. This layout lets me put Ring devices, Rokus, and other devices onto a network that prevents them from being an intrusion point while still allowing them to work as expected. 
The IOT secure network is where my Tasmota, ESPHome, and other Wi-Fi devices talk. None of these need internet access, but since some talk through MQTT, they need the ability to talk to my LAN (a future security improvement could be to allow only the single MQTT port through to the LAN).<\/p>\n\n\n\n<p>I got mDNS working across VLANs recently by using a firewall magic rule; <a rel=\"noreferrer noopener\" href=\"https:\/\/lab.rapternet.us\/?p=1486\" target=\"_blank\">this blog post<\/a> has more details about it. This helps with getting some IoT devices talking between VLANs (like ESPHome advertising hostnames to Home Assistant, enabling quicker setup). Below are the firewall rules and configurations for these settings.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"184\" src=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-22-1024x184.png\" alt=\"\" class=\"wp-image-2680\" srcset=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-22-1024x184.png 1024w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-22-300x54.png 300w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-22-768x138.png 768w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-22.png 1440w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><figcaption class=\"wp-element-caption\">WAN-IN Rules<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"190\" src=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-23-1024x190.png\" alt=\"\" class=\"wp-image-2681\" srcset=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-23-1024x190.png 1024w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-23-300x56.png 300w, 
https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-23-768x142.png 768w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-23.png 1435w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><figcaption class=\"wp-element-caption\">WAN-OUT Rules<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"371\" src=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-24-1024x371.png\" alt=\"\" class=\"wp-image-2682\" srcset=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-24-1024x371.png 1024w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-24-300x109.png 300w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-24-768x278.png 768w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2023\/02\/image-24.png 1484w\" sizes=\"auto, (max-width: 767px) 89vw, (max-width: 1000px) 54vw, (max-width: 1071px) 543px, 580px\" \/><figcaption class=\"wp-element-caption\">LAN-IN Rules<\/figcaption><\/figure>\n\n\n\n<p>Below are the detailed settings for each of my firewall rules.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"708\" height=\"859\" src=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-24.png\" alt=\"\" class=\"wp-image-1776\" srcset=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-24.png 708w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-24-247x300.png 247w\" sizes=\"auto, (max-width: 708px) 100vw, 708px\" \/><figcaption class=\"wp-element-caption\">WAN IN Block Internet to IOT-S (same rule for cameras too)<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"756\" height=\"866\" src=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-25.png\" alt=\"\" 
class=\"wp-image-1777\" srcset=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-25.png 756w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-25-262x300.png 262w\" sizes=\"auto, (max-width: 706px) 89vw, (max-width: 767px) 82vw, 740px\" \/><figcaption class=\"wp-element-caption\">WAN-OUT IOT-S Blocked from internet<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"738\" height=\"865\" src=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-26.png\" alt=\"\" class=\"wp-image-1779\" srcset=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-26.png 738w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-26-256x300.png 256w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><figcaption class=\"wp-element-caption\">LAN-IN Cameras<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"763\" height=\"862\" src=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-27.png\" alt=\"\" class=\"wp-image-1780\" srcset=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-27.png 763w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-27-266x300.png 266w\" sizes=\"auto, (max-width: 706px) 89vw, (max-width: 767px) 82vw, 740px\" \/><figcaption class=\"wp-element-caption\">LAN-IN IOT blocked from LAN<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"685\" height=\"858\" src=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-28.png\" alt=\"\" class=\"wp-image-1781\" srcset=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-28.png 685w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-28-240x300.png 240w\" sizes=\"auto, (max-width: 685px) 100vw, 685px\" \/><figcaption class=\"wp-element-caption\">LAN-IN LAN to 
VLANs<\/figcaption><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"672\" height=\"873\" src=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-29.png\" alt=\"\" class=\"wp-image-1783\" srcset=\"https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-29.png 672w, https:\/\/lab.rapternet.us\/wp-content\/uploads\/2022\/02\/image-29-231x300.png 231w\" sizes=\"auto, (max-width: 672px) 100vw, 672px\" \/><figcaption class=\"wp-element-caption\">WAN-IN block IOT network<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"conclusion\">Conclusion<\/h2>\n\n\n\n<p>I&#8217;ve been running with this VLAN layout and network for a few years now. It&#8217;s been working out amazingly well, with the main complaint being that I wish I could run with fewer Wi-Fi SSIDs. The Unifi access points end up complaining to me about too many SSIDs, and I have to click through some acknowledgements. Maybe I can find a good way to reduce the SSIDs, but still, this being my only complaint, I&#8217;m very happy with my network layout and security.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"resources\">Resources<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/lab.rapternet.us\/?p=1486\">mDNS magic rule<\/a><\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"acronyms\">Acronyms<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AP: Wi-Fi Access Point<\/li>\n\n\n\n<li>LAN: Local Area Network<\/li>\n\n\n\n<li>VLAN: Virtual Local Area Network<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Here is a rough guide to how I have my network laid out. I haven&#8217;t really documented it before, so hopefully this covers the major points. 
I use a number of VLANs in my network to keep the IoT devices from being security threats, and prevent security devices from being able to access the internet &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/lab.rapternet.us\/?p=1740\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Network Layout&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[39,67,49,35],"class_list":["post-1740","post","type-post","status-publish","format-standard","hentry","category-networking","tag-home-assistant","tag-network","tag-smart-home","tag-unifi"],"_links":{"self":[{"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/posts\/1740","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1740"}],"version-history":[{"count":24,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/posts\/1740\/revisions"}],"predecessor-version":[{"id":2685,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=\/wp\/v2\/posts\/1740\/revisions\/2685"}],"wp:attachment":[{"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1740"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1740"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lab.rapternet.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1740"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","tem
plated":true}]}}